IN THE CLAIMS

1. (Currently amended) A method for providing access control management to electronic data, the method comprising:

establishing a secured link with a client machine when an authentication request is received from the client machine, the authentication request including an identifier identifying a user of the client machine to access the electronic data, wherein the electronic data is secured in a format including security information and an encrypted data portion, the security information including a file key and access rules and controlling restrictive access to the encrypted data portion;

authenticating the user according to the identifier; and

activating a user key after the user is authenticated, wherein the user key is used to access the access rules in the security information, the file key can be retrieved to decrypt the encrypted data portion only if access privilege of the user is successfully measured by the access rules.

2. (Original) The method as recited in Claim 1 further comprising maintaining an access control management, wherein the access control management comprises:

a rule manager including at least one set of rules for the electronic data; and

an administration interface from which the rules for a designated place for the electronic data are created, managed, or updated.

3. (Previously amended) The method as recited in Claim 2, wherein the designated place is a folder and all files in the folder are subject to the rules.

4. (Previously amended) The method as recited in Claim 2, wherein the designated place is a repository and all files in the repository are subject to the rules.

5. (Previously amended) The method as recited in Claim 2, wherein the rule manager provides a graphic user interface from which the rules can be created, managed or updated.
6. (Previously amended) The method as recited in Claim 5, wherein parameters determining the rules from the graphic user interface are subsequently expressed in a markup language.

7. (Previously amended) The method as recited in Claim 6, wherein the parameters expressed in the markup language are uploaded to the client machine after the user is authenticated.

8. (Previously amended) The method as recited in Claim 7, wherein the markup language is Extensible Access Control Markup Language.

9. (Original) The method as recited in Claim 7, wherein the markup language is selected from a group consisting of HTML, XML and SGML.

10. (Original) The method as recited in Claim 2, wherein the access control management further comprises a user manager coupled to a database including a list of authorized users and respective access privileges associated with each of the authorized users.

11. (Original) The method as recited in Claim 10, wherein the authenticating of the user comprises:

looking up in the database for the user; and

getting, from the database, access location information as to where the user is authorized to access the electronic data if information about the user is located in the database.



12. (Original) The method as recited in Claim 11, wherein the identifier further identifies the client machine; and wherein the authenticating of the user comprises determining, from the access location information, whether the client machine is permitted by the user to access the electronic data.

13. (Previously amended) The method as recited in Claim 11, wherein the access location information pertains to locations or specific client machines from which the user is authorized to access the electronic data.

14. (Original) The method as recited in Claim 1, wherein the user key is in the client machine; and wherein the activating of the user key comprises:

sending an authentication message to the client machine; and

activating the user key with the authentication message.

15. (Previously amended) The method as recited in Claim 14, wherein the electronic data, when secured, includes a header that further includes the security information being encrypted and a signature signifying that the electronic data is secured.

16. (Cancelled)

17. (Original) The method as recited in Claim 1 further comprising associating the activated user key with the user locally.

18. (Previously amended) The method as recited in Claim 17, wherein the electronic data, when secured, includes a header that includes the security information being encrypted and a signature signifying that the electronic data is secured; the encrypted security information including the access rules and a file key, and wherein the method further comprises:

receiving the header from the client machine;

decrypting the security information in the header to retrieve the access rules therein; and

retrieving the file key when the access rules are measured successfully against access privilege of the user.

19. (Original) The method as recited in Claim 18 further comprising sending the file key to the client machine in which the encrypted data portion can be decrypted with the file key by a cipher module executing in the client machine.
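The secured format and the key-release exchange recited in claims 1, 14-15 and 18-19 (and, seen from the client, claims 36-38), as an added example in Python that is not part of this application and is not the applicant's code. The JSON header layout, the 32-byte user and file keys, the names `secure_file`, `is_secured`, `release_file_key` and `open_secured`, and the stdlib-only SHA-256-keystream-plus-HMAC cipher are all assumptions of this example; a real implementation would use an authenticated cipher such as AES-GCM. The sample document and rules are constructed for the example.

```python
"""Added example, not code from the claims: a minimal model of the secured
format (header carrying a signature and encrypted security information,
followed by an encrypted data portion) and of the file-key release flow.
Assumptions of mine: user key and file key are 32-byte secrets, the header
is JSON, and the cipher is a stdlib-only SHA-256 keystream plus HMAC that
stands in for a real AEAD."""
import hashlib
import hmac
import json
import os
import struct

MAGIC = "SECURED1"  # signature marking the data as secured (claims 15 and 31)


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one secret."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError on a wrong key or a modified blob. The tag is checked
    before anything is decrypted, so doctored access rules are never read."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def secure_file(plaintext: bytes, rules: dict, user_key: bytes) -> bytes:
    """Securing side (claims 24-25): a fresh file key encrypts the data portion;
    the rules and the file key form the security information, which only the
    user key can open. Layout: 4-byte header length, header, data portion."""
    file_key = os.urandom(32)
    security_info = json.dumps({"rules": rules, "file_key": file_key.hex()}).encode()
    header = json.dumps({"sig": MAGIC, "security_info": encrypt(user_key, security_info).hex()}).encode()
    return struct.pack(">I", len(header)) + header + encrypt(file_key, plaintext)


def split_header(secured: bytes):
    """Return (header dict, encrypted data portion)."""
    (n,) = struct.unpack(">I", secured[:4])
    return json.loads(secured[4:4 + n]), secured[4 + n:]


def is_secured(data: bytes) -> bool:
    """Determine the security nature of the data (claims 31 and 41): only a
    parsable header carrying the signature counts as secured."""
    try:
        header, _ = split_header(data)
    except (struct.error, ValueError):
        return False
    return isinstance(header, dict) and header.get("sig") == MAGIC


def release_file_key(header: dict, user_key: bytes, who: str, machine: str):
    """Access control server (claims 18-19, 29-30): open the security information
    with the activated user key, measure the rules against the user's privilege,
    and return (file_key, None) on success or (None, error_message) otherwise."""
    try:
        info = json.loads(decrypt(user_key, bytes.fromhex(header["security_info"])))
    except (KeyError, ValueError):
        return None, "security information cannot be opened with the activated user key"
    rules = info["rules"]
    if who not in rules.get("users", []):
        return None, "user does not have the access privilege to access the electronic data"
    if machine not in rules.get("machines", []):
        return None, "client machine is not authorized for this user"
    return bytes.fromhex(info["file_key"]), None


def open_secured(secured: bytes, user_key: bytes, who: str, machine: str):
    """Document securing module on the client (claims 36-38): plain data passes
    through; secured data has its header forwarded, and the cipher module runs
    only once a file key comes back. Returns (plaintext, None) or (None, error)."""
    if not is_secured(secured):
        return secured, None
    header, data_portion = split_header(secured)
    file_key, err = release_file_key(header, user_key, who, machine)
    if err:
        return None, err
    try:
        return decrypt(file_key, data_portion), None
    except ValueError:
        return None, "encrypted data portion has been tampered with"
```

The check that matters for a practitioner is the order of operations in `release_file_key`: the tag over the security information is verified before the rules are read, and the file key leaves the server only after the rules have been measured, so a client that forwards a doctored header, or a user whose key does not fit the header, gets an error rather than a key. Tampering with the data portion itself is caught by the cipher module's tag check on the client.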



20. (Previously amended) A method for providing access control management to electronic data, the method comprising:

authenticating a user attempting to access the electronic data;

maintaining a private key and a public key, both associated with the user, wherein the electronic data, when secured, includes a header and an encrypted data portion, the header further includes security information controlling who, how, when and where the secured electronic data can be accessed and the encrypted data portion is an encrypted version of the electronic data according to a predetermined cipher scheme;

encrypting the security information with the public key when the electronic data is to be written into a store; and

decrypting the security information with the private key when the electronic data is to be accessed by an application.

21. (Previously amended) The method as recited in Claim 20, wherein the authentication of the user comprises:

establishing a link with a client machine from which the user is attempting to access the electronic data;

demanding credential information from the user; and

receiving the credential information from the client machine over the link.



22. (Original) The method as recited in Claim 21, wherein the credential information includes a pair of username and password provided by the user.

23. (Original) The method as recited in Claim 21, wherein the credential information includes biometric information captured from the user by an apparatus coupled to the client machine.

24. (Previously amended) The method as recited in Claim 21, wherein the encrypting of the security information with the public key comprises:

receiving access rules and a file key, wherein the file key has been used to produce the encrypted data portion in the client machine;

including the access rules and the file key into the security information; and

encrypting the security information with the public key.



25. (Original) The method as recited in Claim 24 further comprising:

generating the header with the security information encrypted therein; and

uploading the header to the client machine where the header is integrated with the encrypted data portion.

26. (Original) The method as recited in Claim 24, wherein the access rules are expressed in a markup language.

27. (Original) The method as recited in Claim 26, wherein the markup language is one of Extensible Access Control Markup Language, HTML, XML and SGML.

28. (Original) The method as recited in Claim 21, wherein the decrypting of the security information with the private key comprises:

receiving the header from the client machine over the link;

parsing the security information from the header; and

decrypting the security information with the private key.

29. (Original) The method as recited in Claim 28 further comprising:

obtaining access rules from the security information;

determining whether the access rules accommodate access privilege of the user;

when the determining succeeds,

retrieving a file key from the security information; and

sending the file key to the client machine over the link;

when the determining fails,

sending an error message to the client machine over the link.

30. (Currently amended) The method as recited in Claim 29, wherein the error message indicates that the user does not have the access privilege to access the electronic data.
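Claims 6-9 and 26-27 recite that the rules are expressed in a markup language such as XACML, and claims 12-13 and 20 state what they govern: who, how, when and where. The following is an added example, not the application's own code and not XACML itself: a deliberately small XACML-like schema of my own (`Policy`, `Rule`, `Subjects`, `Actions`, `Locations`, `ValidFrom`/`ValidUntil`), a deny-overrides evaluator named `evaluate`, and a constructed sample policy in which locations may be either a client machine name or a CIDR block, matching the "locations or specific client machines" of claim 13.

```python
"""Added example, not code from the claims: access rules expressed in markup
and measured against who, how, when and where a request is made. The element
names form a simplified XACML-like schema of my own, not the XACML 3.0 schema."""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample policy: finance readers may read or print from one named
# workstation or one subnet during 2024; bob may never print.
POLICY_XML = """\
<Policy RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="finance-readers" Effect="Permit">
    <Subjects><Subject>alice</Subject><Subject>bob</Subject></Subjects>
    <Actions><Action>read</Action><Action>print</Action></Actions>
    <Locations><Location>ws-17</Location><Location>10.0.5.0/24</Location></Locations>
    <ValidFrom>2024-01-01T00:00:00</ValidFrom>
    <ValidUntil>2024-12-31T23:59:59</ValidUntil>
  </Rule>
  <Rule RuleId="bob-no-print" Effect="Deny">
    <Subjects><Subject>bob</Subject></Subjects>
    <Actions><Action>print</Action></Actions>
  </Rule>
</Policy>
"""


def _listed(rule, container, item):
    """Values under <container><item>...</item></container>; None when the
    container is absent, which the evaluator reads as 'any'."""
    node = rule.find(container)
    if node is None:
        return None
    return {e.text.strip() for e in node.findall(item) if e.text}


def _location_ok(allowed, where):
    """A location entry is either a client machine name or a CIDR block."""
    for loc in allowed:
        if loc == where:
            return True
        try:
            if ipaddress.ip_address(where) in ipaddress.ip_network(loc, strict=False):
                return True
        except ValueError:  # machine name on one side, address on the other
            pass
    return False


def rule_applies(rule, who, how, when, where):
    """True when every constraint present in the rule is satisfied."""
    subjects = _listed(rule, "Subjects", "Subject")
    if subjects is not None and who not in subjects:
        return False
    actions = _listed(rule, "Actions", "Action")
    if actions is not None and how not in actions:
        return False
    locations = _listed(rule, "Locations", "Location")
    if locations is not None and not _location_ok(locations, where):
        return False
    start, end = rule.findtext("ValidFrom"), rule.findtext("ValidUntil")
    if start and when < datetime.fromisoformat(start):
        return False
    if end and when > datetime.fromisoformat(end):
        return False
    return True


def evaluate(policy_xml, who, how, when_iso, where):
    """Deny-overrides: any applicable Deny wins, then any Permit, else
    NotApplicable. Anything but Permit is a failed measurement: no file key."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != "deny-overrides":
        raise ValueError("unsupported combining algorithm")
    when = datetime.fromisoformat(when_iso)
    effects = {r.get("Effect") for r in policy.findall("Rule")
               if rule_applies(r, who, how, when, where)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"
```

The policy is parsed with the standard library's ElementTree, which is acceptable when, as in the claimed design, the rules come out of the encrypted security information in the header rather than from an arbitrary upload; rules accepted from a less trusted path should go through a hardened parser such as defusedxml. `NotApplicable` is kept distinct from `Deny` so a caller can log the two differently, but both must be treated as a failed measurement and the file key withheld.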

31. (Currently amended) A method for providing access control management to electronic data, the method comprising:

receiving a request to access the electronic data;

determining security nature of the electronic data;

when the security nature indicates that the electronic data is secured, the electronic data including a header and an encrypted data portion, the header including security information controlling restrictive access to the encrypted data portion and the encrypted data portion is an encrypted version of the electronic data according to a predetermined cipher scheme,

determining from the security information if the user has necessary access privilege to access the encrypted data portion without consulting with another machine; and

obtaining a file key and decrypting the encrypted data portion with the file key only after the user is determined to have the necessary access privilege to access the encrypted data portion.

32. (Original) The method as recited in Claim 31 further comprising retrieving a user key 
associated with a user making the request. 



33. (Original) The method as recited in Claim 32, wherein said determining from the security information if the user has necessary access privilege comprises:

decrypting the security information with the user key;

retrieving access rules from the security information; and

measuring the access rules against the access privilege of the user.

34. (Original) The method as recited in Claim 33 further comprising:

retrieving the file key from the security information if the measuring of the access rules against the access privilege succeeds.



35. (Original) The method as recited in Claim 33 further comprising:

causing the client machine to display an error message to the user if the measuring of the access rules against the access privilege fails.

36. (Currently amended) The method as recited in Claim 32, wherein the retrieving of the user key comprises:

establishing a link with a server executing an access control management;

sending to the server an authentication request including an identifier identifying the user for the access control management to authenticate the user;

forwarding the header to the server; and

receiving the file key retrieved from the header.



37. (Original) The method as recited in Claim 36 further comprising:

activating a cipher module; and

decrypting the encrypted data portion by the cipher module with the received file key.

38. (Original) The method as recited in Claim 37 further comprising loading the decrypted data portion into the application.

39. (Original) The method as recited in Claim 32, wherein the retrieving of the user key comprises:

establishing a link with a server executing an access control management;

sending to the server an authentication request including an identifier identifying the user for the access control management to authenticate the user;

receiving an authentication message after the user is authenticated; and

activating the user key locally in the client machine.

40. (Original) The method as recited in Claim 39, wherein the user key is in an illegible format before the activating of the user key locally in the client machine.



41. (Currently amended) A system for providing access control management to electronic data, the method comprising:

a client machine executing a document securing module that operates in a path through which the electronic data is caused to pass when selected, the document securing module determining security nature of the electronic data;

an access control server coupled to the client machine over a network, the access control server including an account manager managing all users who access the electronic data;

wherein the client machine and a user thereof are caused by the document securing module to be authenticated with the access control server when the security nature indicates that the electronic data is secured; and

wherein access rules in the secured electronic data are retrieved with a user key associated with the user to test against access privilege of the user to determine if the user can access the secured electronic data.

42. (Currently amended) The system as recited in Claim 41, wherein the access privilege of the user is also tested against other rules imposed by the system.

43. (Currently amended) The system as recited in Claim 41, wherein the document securing module activates a cipher module to decrypt an encrypted data portion in the secured electronic data with a file key obtained therefrom after the document securing module determines that the access privilege of the user is permitted by the access rules.

44. (Previously amended) The system as recited in Claim 43, wherein the user key stays in the access control server that receives part of the secured electronic data; and wherein the access rules and the file key are obtained from the part of the secured electronic data.

45. (Previously amended) The system as recited in Claim 44, wherein the access control server forwards the file key to the client machine in a secured form over the network.

46. (Previously amended) The system as recited in Claim 43, wherein the user key stays in the client machine and is activated when both the client machine and the user are authenticated by the access control server.



47. (Previously amended) A system for providing access control management to electronic data, the method comprising:

a storage device including at least an active place designated for keeping the electronic data secured, the secured electronic data including encrypted security information that further includes at least a set of access rules and a file key, wherein the access rules, expressed in a descriptive language, protect the file key and control restrictive access to the secured electronic data;

a client machine coupled to the storage device and executing a document securing module operative to intercept the electronic data when the electronic data is caused to transport from the active place;

an access control server coupled to the client machine over a network and receiving a part of the electronic data including the encrypted security information from the client machine, the encrypted security information being decrypted with a user key associated with a user attempting to access the electronic data after both the user and the client machine are authenticated;

wherein the set of access rules are measured against access privilege of the user in the access control server, and if successful, the file key is returned to the client machine to facilitate a recovery of the electronic data in clear mode.
48. (Currently amended) A software product to be executable in a computing device for providing access control management to electronic data, the software product comprising:

program code for establishing a secured link with a client machine when an authentication request is received therefrom, the authentication request including an identifier identifying a user from the client machine to access the electronic data in a secured format including security information and an encrypted data portion, the security information including a file key and access rules and controlling restrictive access to the encrypted data portion;

program code for authenticating the user according to the identifier; and

program code for activating a user key after the user is authenticated, wherein the user key is used to access the access rules in the security information, the file key can be retrieved to decrypt the encrypted data portion only if access privilege of the user is successfully measured by the access rules.

49. (Previously amended) The software product as recited in Claim 48 further comprising program code for maintaining an access control management, wherein the access control management comprises:

a rule manager including at least one set of rules for the electronic data; and

an administration interface from which the rules for a designated place for the electronic data are created, managed or updated.

50. (Previously amended) The software product as recited in Claim 49, wherein the designated place is a folder and all files in the folder are subject to the rules.

51. (Previously amended) The software product as recited in Claim 49, wherein the designated place is a repository and all files in the repository are subject to the rules.
52. (Previously amended) The software product as recited in Claim 49, wherein the rule manager provides a graphic user interface from which the rules can be created, managed or updated.

53. (Previously amended) The software product as recited in Claim 52, wherein parameters determining the rules from the graphic user interface are subsequently expressed in a markup language.

54. (Previously amended) The software product as recited in Claim 53, wherein the parameters expressed in the markup language are uploaded to the client machine after the authenticating of the user succeeds.

55. (Previously amended) The software product as recited in Claim 54, wherein the markup language is Extensible Access Control Markup Language.

56. (Original) The software product as recited in Claim 54, wherein the markup language is selected from a group consisting of HTML, XML and SGML.

57. (Original) The software product as recited in Claim 49, wherein the access control management further comprises a user manager coupled to a database including a list of authorized users and respective access privileges associated with each of the authorized users.

58. (Original) The software product as recited in Claim 57, wherein the program code for authenticating the user comprises:

program code for looking up in the database for the user; and

program code for getting, from the database, access location information as to where the user is authorized to access the electronic data if the user is located in the database.
59. (Original) The software product as recited in Claim 58, wherein the identifier further identifies the client machine; and wherein the program code for authenticating the user comprises program code for determining, from the access location information, whether the client machine is permitted by the user to access the electronic data.

60. (Previously amended) The software product as recited in Claim 58, wherein the access location information pertains to locations or specific client machines from which the user is authorized to access the electronic data.

61. (Original) The software product as recited in Claim 48, wherein the user key is in the client machine; and wherein the program code for activating the user key comprises:

program code for sending an authentication message to the client machine; and

program code for activating the user key with the authentication message.

62. (Original) The software product as recited in Claim 61, wherein the electronic data, when secured, includes a header and an encrypted data portion; and wherein the header includes security information that can be accessed with the activated user key.

63. (Cancelled)

64. (Original) The software product as recited in Claim 48 further comprising program code for associating the activated user key with the user locally.

65. (Original) The software product as recited in Claim 64, wherein the electronic data, when secured, includes a header and an encrypted data portion, the header includes security information and a file key; and wherein the software product further comprises:

program code for receiving the header from the client machine;

program code for decrypting the header to retrieve access rules in the security information; and

program code for retrieving the file key when the access rules are measured successfully against access privilege of the user.

66. (Original) The software product as recited in Claim 65 further comprising sending the file key to the client machine in which the encrypted data portion can be decrypted with the file key by a cipher module executing in the client machine.




67. (Currently amended) A software product to be executable in a computing device for providing access control management to electronic data, the software product comprising:

program code for authenticating a user attempting to access the electronic data;

program code for maintaining a private key and a public key, both associated with the user, wherein the electronic data, when secured, includes a header and an encrypted data portion, the header further includes security information controlling restrictive access to the encrypted data portion and protecting the private key by access rules therein;

program code for encrypting the security information with the public key when the electronic data is to be written into a store; and

program code for decrypting the security information with the private key when the electronic data is to be accessed by an application.

68. (Original) The software product as recited in Claim 67, wherein the program code for authenticating the user comprises:

program code for establishing a link with a client machine from which the user is attempting to access the electronic data;

program code for demanding credential information from the user; and

program code for receiving the credential information from the client machine over the secured link.

69. (Original) The software product as recited in Claim 68, wherein the credential information includes a pair of username and password provided by the user.
70. (Original) The software product as recited in Claim 68, wherein the credential information includes biometric information captured from the user by an apparatus coupled to the client machine.

71. (Previously amended) The software product as recited in Claim 68, wherein the program code for encrypting the security information with the public key comprises:

program code for receiving the access rules and a file key from the client machine over the link, wherein the file key has been used to produce the encrypted data portion in the client machine;

program code for including the access rules and the file key into the security information; and

program code for encrypting the security information with the public key.

72. (Original) The software product as recited in Claim 71 further comprising:

program code for generating the header with the security information encrypted therein; and

program code for uploading the header to the client machine where the header is integrated with the encrypted data portion.

73. (Original) The software product as recited in Claim 71, wherein the access rules are expressed in a markup language.

74. (Original) The software product as recited in Claim 73, wherein the markup language is one of Extensible Access Control Markup Language, HTML, XML and SGML.

75. (Original) The software product as recited in Claim 68, wherein the program code for decrypting the security information with the private key comprises:

program code for receiving the header from the client machine over the link;

program code for parsing the security information from the header; and

program code for decrypting the security information with the private key.

76. (Original) The software product as recited in Claim 75 further comprising:

program code for obtaining access rules from the security information;

program code for determining whether the access rules accommodate access privilege of the user;

when the determining program code is executed successfully,

program code for retrieving a file key from the security information; and

program code for sending the file key to the client machine over the link;

when the determining program code is executed unsuccessfully,

program code for sending an error message to the client machine over the link.

77. (Original) The software product as recited in Claim 76, wherein the error message indicates that the user does not have the access privilege to access the electronic data.

78. (Currently amended) A software product to be executable in a computing device for providing access control management to electronic data, the software product comprising:

program code for receiving a request to access the electronic data;

program code for determining security nature of the electronic data;

when the security nature indicates that the electronic data is secured, the electronic data including a header and an encrypted data portion, the header including security information and the encrypted data portion is an encrypted version of the electronic data according to a predetermined encryption scheme,

program code for determining from the security information if the user has necessary access privilege to access the encrypted data portion; and

program code for obtaining a file key from the security information and decrypting the encrypted data portion only after the access privilege of the user is permitted in view of the security information.
79. (Original) The software product as recited in Claim 78 further comprising program code for retrieving a user key associated with a user making the request.

80. (Original) The software product as recited in Claim 79, wherein the program code for determining from the security information if the user has necessary access privilege comprises:

program code for decrypting the security information with the user key;

program code for retrieving access rules from the security information; and

program code for measuring the access rules against the access privilege of the user.

81. (Cancelled)



82. (Original) The software product as recited in Claim 80 further comprising:

program code for causing the client machine to display an error message to the user if the measuring of the access rules against the access privilege fails.

83. (Original) The software product as recited in Claim 80, wherein the program code for retrieving the user key comprises:

program code for establishing a link with a server executing an access control management;

program code for sending to the server an authentication request including an identifier identifying the user for the access control management to authenticate the user;

program code for forwarding the header to the server; and

program code for receiving a file key retrieved from the header.

84. (Original) The software product as recited in Claim 83 further comprising:

program code for activating a cipher module; and

program code for decrypting the encrypted data portion by the cipher module with the received file key.

85. (Original) The software product as recited in Claim 84 further comprising program code for loading the decrypted data portion into the application.

86. (Original) The software product as recited in Claim 79, wherein the program code for retrieving the user key comprises:

program code for establishing a link with a server executing an access control management;

program code for sending to the server an authentication request including an identifier identifying the user for the access control management to authenticate the user;

program code for receiving an authentication message after the user is authenticated; and

program code for activating the user key locally in the client machine.

87. (Original) The software product as recited in Claim 86, wherein the user key is in an illegible format before the activating of the user key locally in the client machine.

88. (Original) The software product as recited in Claim 86, wherein the computing device is a media player having a network capacity, the media player generating audio and/or video from the electronic data when the software product is executed in the media player.